Researchers ran 281 of the most popular free VPN apps on the Google Play Store through a new testing system and found that many fail at the basics people install a VPN for, i.e., keeping their traffic private and secure.

The apps flagged with at least one problem have been installed more than 2.4 billion times.

The problems are basic, not sophisticated. 29 apps let user traffic leak outside the encrypted tunnel, including the DNS lookups that reveal which websites you visit. 61 apps send some data in plain text that anyone watching the traffic on that network can read.

Five of those send the app’s configuration file in the clear, which lets an attacker on the network redirect the connection to a server they control.

The system, called MVPNalyzer, was presented at the NDSS security conference in February 2026 by researchers at the University of Michigan, the University of New Mexico, and IIT Delhi.

It is a mobile counterpart to the same lab’s earlier VPNalyzer study of desktop VPN software, and the researchers describe it as the first framework built to systematically and repeatedly audit Android VPN apps.

A VPN wraps your traffic in an encrypted tunnel so your internet provider, or an eavesdropper on the network, cannot see what you are doing. The trade-off is that the VPN app now sees all of it. You are not removing the need to trust someone. You are moving that trust from your internet provider to whoever built the app.

The study asks whether these apps earn it. For many, they do not.

The most serious flaw: tunnel hijacking

The worst finding involves those five apps that download their configuration file without encryption. That file tells the app which server to connect to. If it travels in plain text, an attacker on the same network, say a public Wi-Fi operator, can rewrite it in transit and point the app at a server they control.

Architecture of the MVPNalyzer framework

The user connects, sees the usual “connected” screen, and routes everything through the attacker. The researchers built this attack and confirmed it worked on phones under their control.

They flagged the issue for all five providers as a priority. Two responded, both promising to move the file to HTTPS. One said it would send the configuration files “securely using HTTPS with proper certificate validation.” The other three had not acknowledged it.

Leaks, and apps that hide nothing

Of the 29, 24 leaked DNS traffic, exposing the sites users visited to the local network; those apps alone account for about 360 million installs. Six leaked full browsing traffic outside the tunnel, and four ran “tunnels” with no encryption at all, with some apps failing in more than one way.

Separately, 169 apps made no attempt to disguise their traffic as anything other than a VPN, so a network operator or government censor can spot and block them with basic tools. Nearly two-thirds of those apps advertise that they beat blocking or unlock restricted content. They make the…


Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Website Upgradation is going on for any glitch kindly connect at [email protected]

 

 

Categorized in:

Blog,

Last Update: July 10, 2026